Field of the Invention

The invention relates to communication between a private network and a roaming mobile terminal.

Background of the Invention

Many organisations utilise private networks whose communications with terminals outside the private network pass through security gateways that protect the private network using techniques including firewalls.

Protection of private corporate information is of utmost importance when designing an information infrastructure. However, separate private networking solutions are expensive and cannot be updated quickly to adapt to changes in business requirements. The Internet does not by itself ensure privacy. Virtual private networking is the collection of technologies applied to a public network - in particular the Internet - to provide solutions for private networking needs. Virtual private networks use obfuscation through secure tunnels, rather than physical separation, to keep communications private.

Virtual private networks ('VPN') accordingly enable private networks to be extended to provide secured communication with roaming terminals, that is to say terminals situated outside the private network, the communication passing for example through the Internet and possibly over mobile telephone networks. The Internet uses the Internet Protocol ('IP') and the communications of mobile terminals often use the Mobile Internet Protocol ('MIP').

It is expected that the roaming usage of virtual private networks will become bigger and more frequent. Such frequently roaming terminals require the same level of security as fixed or occasionally roaming terminals, through the corporate VPN architecture.
The protocols used for the different functions include, for network security, the IPsec protocols [...] and, for mobile telephone communication, the Mobile IPv4 specification [C. Perkins, ...].

When the VPN protocol is IPsec Encapsulating Security Payload ('ESP') and the mobility protocol is Mobile IP, both of them being implemented in the same IP layer, there is a need to specify their interaction with each other when they are used simultaneously.

Beyond the basic order of application (e.g. which of the two protocols is applied first), the overall solution must aim at meeting three major requirements:

• Security. The fact that the VPN infrastructure can support Mobile IP users must not create new security flaws for any corporate entity (corporate network and mobile or occasionally roaming users). Mobile IP enabled devices must provide mobile users with the same level of security as if they were inside the corporate network. On the other hand, Mobile IP must coexist with the global security mechanisms (firewalls), and Mobile IP specific security mechanisms must not interfere with the global security mechanisms.

• Compatibility. A solution that enables optimised interaction between Mobile IP and IPsec must avoid heavily modifying the protocol specifications. Future evolutions of the Mobile IP and IPsec protocols must not be made excessively difficult by the use of an optimised combined solution. Optimally, such evolutions should [...].

• Performance. The invention must perform well in terms of handover quality: the handover must be made as quick as possible.

One example of a communication protocol for a virtual private network is the ESP (Encapsulating Security Payload) protocol (S. Kent, R. Atkinson, "IP Encapsulating Security Payload", Internet Engineering Task Force (IETF), RFC [...]). The original IP header and destination addresses are not changed: the whole incoming IP packet is encrypted and optionally (recommended) authenticated.

A set of security parameters is shared between the sender (the one that encrypts and tunnels) and the receiver (the one that decrypts and de-tunnels) for encryption/decryption. The set of security parameters (protocol, key, [...]) constitutes a so-called IPsec Security Association ('SA'). IPsec requires two SAs (an SA bundle) to obtain a secured unidirectional communication: one on the sender and one on the receiver (with some common parameters, for example the key).
As a VPN communication is bidirectional (from the Mobile Node ('MN') to the VPN Gateway and from the VPN Gateway to the MN), two SA bundles are required: the first for the tunnel from the MN to the VPN Gateway, the second for the tunnel from the VPN Gateway to the MN. It must be noted that the designation 'VPN Gateway' is not specified by the protocol: a VPN Gateway is simply the topological entity that terminates, at the corporate network side, all VPN secure tunnels to/from roaming mobile nodes.

SA selectors are used for the processing of IPsec packets. Basically, SA selectors are IP parameters that are used by the IPsec layer to check that:

- A packet that is about to be sent on a tunnel defined by a certain outbound SA is actually legitimate to be sent with that SA (e.g. the source and destination addresses of the packet match the source and destination addresses of the SA). This test is called the "outbound SA selector check".

- A packet that has been received from a tunnel defined by a certain inbound SA is actually legitimate to have been received with this SA (e.g. the source and destination addresses of the packet match the source and destination addresses of the SA). This test is called the "inbound SA selector check".
It must be noted that, as illustrated in the two examples above, only source and destination addresses will be considered as SA selectors in this invention.

Two families of proposals address this situation: the IPsec tunnel in the MIP tunnel, and the MIP tunnel in the IPsec tunnel.

IPsec tunnel in the MIP tunnel

In this family of proposals, the IPsec tunnel is established between the VPN gateway and the mobile node inside the MIP tunnel.

External home agent. In this proposal the home agent is placed in front of the IPsec gateway and the corporate firewall, i.e. outside the home network. Obviously, this creates deep security flaws: the main one is that the home agent is no longer protected by the common protection mechanism (corporate firewall) at the border of the network. Indeed, a home agent placed outside the gateway does not benefit from any protection and becomes an easy target. This kind of security flaw could not be accepted when designing a VPN solution aimed at securing communications.
Another problem stems from the tunnelling mechanism, which does not cipher the MIP packets (the IPsec tunnel is inside the MIP tunnel): the MIP header fields are sent in plain text and any attacker with bad intentions will have access to those fields, for instance the home address of the mobile node. Thus, this solution does not provide privacy and a malicious node might track all successive locations of a mobile node, identified through its home address.

MIP proxy. This proposal is described in a draft (F. Adrangi, P. Iyer, "Mobile IPv4 Traversal across VPN [...]", draft-adrangi-[...], February 2002). It assumes the creation of a new entity called a Mobile IP Proxy that appears as a surrogate home agent from the mobile node point of view and conversely is viewed as a mobile node by the home agent. This solution is also based on IPsec in MIP tunnelling, which is less confidential in terms of privacy than MIP in IPsec, as seen above. Moreover, the process of simple roaming requires new signalling messages between the MIP proxy, the VPN gateway and the home agent: the MIP proxy acts as a relay between the mobile node and the home agent ('HA'); it must be aware of the existing protection between the mobile node and the HA to forward valid requests [...] by the HA [...]. The MIP proxy is placed outside the protected domain in the Demilitarized Zone ('DMZ'), and the corporate firewall must not interfere with the registration procedure between the proxy and the Home Agent. This architecture implies possible security flaws since the corporate firewall must let any packets between the MIP proxy and the Home Agent go through without further inspection: this can easily lead to compromising the entire corporate network if an attacker manages to gain access to the MIP proxy.
MIP tunnel in the IPsec tunnel

In this family of proposals, an IPsec tunnel is established between the VPN Gateway and the Mobile Node Care-of address.

One proposal that includes the MIP tunnel in the IPsec tunnel has been described by the University of Bern, Switzerland, at www.ram.unibe.ch/~rvs/publications/secmip_gi.pdf. The IPsec tunnel is reset before any new handover: when moving to a new network, it has to be re-established through the whole key distribution process. That handover mode creates unacceptable latencies of many seconds, incompatible with classical MIP requirements.

Another issue with this proposal consists in assuming that IPsec offers sufficient protection and, as a consequence, in disabling the authentication and replay protections during the MIP registration procedure. Disabling the protections on the home agent is an option that does not suit a network having home agents dedicated to MIP-VPN users as well as other home agents dedicated to simple MIP users that still use the MIP protections.
Summary of the Invention

Brief Description of the Drawings

Figure 1 is a diagram of a mobile virtual private network scenario, [...]

Figure 3 is a flow chart of exchanges in communication between a private network and a roaming mobile terminal in accordance with one embodiment of the invention, given by way of example, and

Figure 4 is a flow chart of a process for reception of a registration request in the communication process illustrated in Figure 3.

Detailed Description of the Preferred Embodiments

Figure 1 shows a private network 1 including a security gateway comprising a VPN gateway 2 and a firewall 3, a mobile node 4 situated in the private network 1 and a home agent 5 for the mobile node 4. The embodiment of the present invention shown in the drawings is applicable especially where the mobile node 4 is capable of communication over a wireless link, which improves its ability to roam both within and outside the private network 1, but this embodiment of the invention is also applicable where the mobile node 4 communicates only over wire connections.

Figure 1 shows a scenario where the advantages of this embodiment of the invention are particularly appreciable, where the mobile node 4 moves outside the private network 1, first to a visited network 6 having a foreign agent 7 functioning under the mobile IPv4 protocol, enabling communication of the roaming mobile node 4 through the Internet 8 with the private network 1; the roaming mobile node 4 then moves to a second visited network 9 having a foreign agent 10, also functioning under mobile IPv4, for communication through the Internet 8 with the private network 1. While this embodiment of the invention is described with the foreign agents 7 and 10, it is also applicable [...] when the mobile node 4 is roaming in the visited networks 6 or 9.

[...] According to this protocol, the original IP packet is encrypted with an ESP trailer without changing the original IP header and destination address, the whole packet then being encapsulated with an ESP header and an ESP authentication field 18 and assembled with a new IP header 19 before transmission. Security association bundles, each comprising an outbound and an inbound communication security association, are established for communications over the paths 11 and 12 with the VPN gateway. Security association selectors check that packets to be sent using the tunnel defined by each outbound security association are legitimate to be sent with that security association and, in particular, that the source and destination addresses of the packet match the source and destination addresses of the security association, this test being the outbound SA selector check. Packets received from a tunnel defined by the inbound security association are checked for legitimacy of reception with this security association and, in particular, that the source and destination addresses of the packet match the source and destination addresses of the security association, this test being the inbound SA selector check.

In this embodiment of the invention the inbound security association of the VPN gateway 2 does not contain the IP address of the mobile node 4 as source address but a wild card ('*'). This allows the VPN gateway 2 to receive and forward a packet from the mobile node 4 whatever Care-of address it may use. It will be noted that this is not contradictory with the IPsec protocol, since the wild card value is authorised by this protocol for the source address selector in a security association. The tunnel order is that of an MIP tunnel in the IPsec tunnel, with the IPsec tunnel between the VPN gateway 2 and the mobile node 4 using the mobile node Care-of address as end point.
Figure 3 shows [...] the mobile node 4 with an outbound IPsec tunnel 20 having a security association at the mobile node 4 with the current mobile node Care-of address as source address and the address of the VPN gateway 2 as destination address, and a security association at the VPN gateway 2 having a wild card as the source address and the VPN gateway 2 address as destination address. The inbound IPsec tunnel 21 has a security association at the mobile node 4 with the address of the VPN gateway 2 as source address and the current Care-of address of the mobile node 4 as destination address, and a security association at the VPN gateway 2 having the VPN gateway address as source address and the mobile node 4 Care-of address as destination address.

When the mobile node moves at 22 from one visited network to another, for example from the visited network 6 to the visited network 9, the mobile node 4 recognises that its location has changed, for example from an incoming agent advertisement. It then configures a new Care-of address that is routable within the new visited network 7. The mobile node 4 contains VPN client software that responds to the change in mobile node location, for example in response to network selection middleware or by monitoring the source addresses of outbound packets. The VPN client software then changes dynamically the inbound security association on the mobile node 4 so that its destination address is the new Care-of address of the mobile node, the inbound IPsec tunnel 21 becoming a temporary inbound IPsec tunnel 23. In this way the mobile node 4 will be able to receive packets securely sent by the VPN gateway 2 to its new Care-of address; otherwise the packets would be dropped as they would not match the destination address included in the former inbound IPsec tunnel 21. Similarly the VPN client software changes dynamically the outbound security association on the mobile node 4 so that its source address is the new Care-of address of the mobile node, the outbound IPsec tunnel 20 becoming an outbound IPsec tunnel 20'; otherwise the mobile node 4 would not be able to send outgoing packets as they would not match the source address included in the former outbound IPsec tunnel 20.
The mobile node 4 then sends a MIP registration request towards its home agent 5 through the outbound IPsec tunnel 20'. When the registration message is received by the VPN gateway at step 24, the selector check at the VPN gateway for the outbound tunnel 20' does not reject the packet, since the source address selector is a wild card; the packet is therefore not rejected and is forwarded to the home agent 5. At step 25 the home agent 5 receives the registration request from the mobile node 4 indicating the new Care-of address. If the registration request is valid, the home agent 5 sends a security information update message ('SIU') to the VPN gateway 2 containing an order to update the security association of the temporary IPsec tunnel 23 on the VPN gateway. This SIU message is processed at the VPN gateway 2 by a daemon, for example, that is to say a background programme that provides services to the system.

In response to the SIU message, the VPN gateway 2 updates its security association for the temporary inbound IPsec tunnel 23 to a new IPsec tunnel 26 having the new Care-of address of the mobile node 4 as destination address. This update is performed before any packet is sent to the mobile node 4, in particular the registration reply. In a preferred embodiment of the invention the SIU message from the home agent 5 to the VPN gateway 2 includes the registration reply to the mobile node 4.

It will be appreciated that this particular routine of the home agent 5 is triggered only when the registration request is received through a VPN gateway such as 2, corresponding to a location of the mobile node 4 outside the private network 1. If the mobile node were situated within the private network 1, and therefore not using the VPN service, the home agent 5 would respond according to the normal routine with a normal registration reply.



The VPN gateway 2 then forwards the registration reply to the mobile node 4 using the newly established inbound IPsec tunnel 26 and sends all further data packets to the new Care-of address using the tunnel 26 until further notice.
If the registration request does not succeed at the home agent 5, the process is not irremediably compromised: no registration reply will be received from the home agent [...]. If the home agent continues not to accept the registration requests, the mobile node 4 will ultimately abandon the attempt and establish a new tunnel with its new Care-of address [...], which is not the object of this invention. This situation is inherent in Mobile IP scenarios.
Figure 4 illustrates the routine followed by the home agent 5 in the above process. The routine begins at 23 and at step 29 an input is received in the form of a registration request from the mobile node 4. A check is made at step 30 whether the home agent 5 accepts the registration request. If the home agent does not accept the registration, the routine terminates at 31. If the home agent 5 does accept the registration request, a check is made at 32 whether the registration request was received through a VPN gateway such as 2. If it was not, a registration reply is built and sent directly to the mobile node 4 over the private network 1 at step 33. If the registration request was received through a VPN gateway such as 2, a registration reply is built and included in a new packet generated by the home agent at 35, which also contains the former Care-of address and the new Care-of address of the mobile node 4. That packet is then sent at step 36 to the VPN gateway 2 and the routine terminates again at 31.
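The handover exchange of Figure 3 and the home agent routine of Figure 4, as an added Python simulation that is not part of the patent: it models the wild card source selector at the VPN gateway, the SIU update of the gateway-to-mobile-node tunnel, and what happens to the registration reply when that update is skipped. The addresses, message field names and the SecurityAssociation, VpnGateway, home_agent_process and handover names are constructed for this example; only the source and destination address selectors are modelled, as in the text.

```python
from dataclasses import dataclass

WILDCARD = "*"
GW_ADDR, MN_HOME = "10.0.0.1", "10.0.0.40"   # constructed addresses for the example


@dataclass
class SecurityAssociation:
    """Simplified IPsec SA: only the source and destination address selectors are modelled."""
    src: str
    dst: str

    def selector_check(self, pkt_src: str, pkt_dst: str) -> bool:
        # A '*' selector matches any address; IPsec authorises it for the source selector.
        src_ok = self.src == WILDCARD or self.src == pkt_src
        dst_ok = self.dst == WILDCARD or self.dst == pkt_dst
        return src_ok and dst_ok


@dataclass
class VpnGateway:
    """Gateway-side SAs of the two tunnels (tunnel 20: MN -> gateway; tunnel 21/23/26: gateway -> MN)."""
    sa_from_mn: SecurityAssociation   # source selector is a wild card, not the MN address
    sa_to_mn: SecurityAssociation     # destination selector is the MN Care-of address

    def inbound_check(self, pkt_src: str) -> bool:
        return self.sa_from_mn.selector_check(pkt_src, GW_ADDR)

    def apply_siu(self, siu: dict) -> None:
        """Daemon handling the Security Information Update sent by the home agent."""
        if self.sa_to_mn.dst != siu["old_coa"]:
            raise ValueError("SIU does not match the current tunnel to the mobile node")
        self.sa_to_mn = SecurityAssociation(GW_ADDR, siu["new_coa"])   # tunnel 23 -> tunnel 26

    def outbound_check(self, pkt_dst: str) -> bool:
        return self.sa_to_mn.selector_check(GW_ADDR, pkt_dst)


def home_agent_process(bindings: dict, home: str, new_coa: str, via_vpn_gateway: bool, accept: bool = True):
    """Figure 4 routine: None if refused, a plain reply, or an SIU carrying the reply and both Care-of addresses."""
    if not accept:
        return None                                       # steps 30/31: request refused
    old_coa = bindings.get(home)
    bindings[home] = new_coa
    reply = {"type": "registration_reply", "home": home, "coa": new_coa}
    if not via_vpn_gateway:
        return reply                                      # step 33: reply goes directly over the private network
    return {"type": "siu", "old_coa": old_coa, "new_coa": new_coa, "reply": reply}   # steps 35/36


def handover(old_coa: str, new_coa: str, with_siu: bool = True) -> dict:
    """Run the Figure 3 exchange; with_siu=False shows why the reply is dropped without the update."""
    gw = VpnGateway(SecurityAssociation(WILDCARD, GW_ADDR), SecurityAssociation(GW_ADDR, old_coa))
    bindings = {MN_HOME: old_coa}
    # step 24: the registration request arrives from the new Care-of address; the wild card lets it through
    if not gw.inbound_check(new_coa):
        return {"request_accepted": False, "reply_delivered": False, "gateway_dst": gw.sa_to_mn.dst}
    # step 25: the home agent sees that the request came through a VPN gateway and builds an SIU
    msg = home_agent_process(bindings, MN_HOME, new_coa, via_vpn_gateway=True)
    if with_siu:
        gw.apply_siu(msg)                                 # performed before any packet is sent back
    # the registration reply is sent to the new Care-of address through the gateway -> MN tunnel
    return {"request_accepted": True, "reply_delivered": gw.outbound_check(new_coa),
            "gateway_dst": gw.sa_to_mn.dst}
```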



